openldap-technical January 2009

openldap-technical@openldap.org

45 participants
44 discussions

Re: AW: Question about the manager acccount for the openldap-database
by Quanah Gibson-Mount 09 Jan '09

09 Jan '09

--On Friday, January 09, 2009 8:43 AM +0100 Oliver Steffens <osteffens(a)gc-heat.de> wrote: > Thank you for your quick reply. We will check this solution. Please keep replies on the list. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Need information
by Buddhadeb Bhakta 09 Jan '09

09 Jan '09

Hi All, I would like to use the below C functions which is inside ldap.h header file. ldap_init() ldap_simple_bind_s() ldap_search_s() ldap_unbind() Could anyone please let me know to use these functions, what package should I install? I am using HP-UX B.11.00 version of OS. Please advise. Thanks Buddhadeb

1 0

OpenLDAP as a 'generic' hierarchical data store
by Lorenzo Pastrana 09 Jan '09

09 Jan '09

Hello list, I was wondering lately if I could use OpenLDAP as a 'generic' hierarchical data store for the application I'm planning, and tried to get any hint about feasibility. I found a blog post about OpenDS (http://blogs.sun.com/treydrake/entry/ldap_vs_relational_database), where the author states about Read/write performance parity ... That was the kind of news I just wanted to hear because I'm thinking about a persistence back-end, not just an almost static dataset, but I'm in a genuine PHP environment and Java is not an option; so I naturally tried to get some infos regarding OpenLDAP performance but found nothing recent, and the references I could find are quite discouraging on that matter ... However since 4 to 8 years have passed since the tests I've been reading, I'm still in the hope of a 'a pleasant surprise' as the sun guy sayz ... Does someone has an experience to share about that kind of (mis-)usage of OpenLDAP ? Any pointers to some good and recent reference on the matter are of course well come. Thanks in advance for any information. LP Lorenzo Pastrana - Happy End Vision -------------------------- Design web Conception multimédia Communication visuelle et édition -------------------------- Tél. : 01 42 47 83 09 Fax : 01 47 70 70 19 E-mail : lorenzo.pastrana(a)happyend.fr

5 9

Question about the manager acccount for the openldap-database
by Oliver Steffens 08 Jan '09

08 Jan '09

Hi together, Unfortunately the current (md5-encrypted) password is lost... Is it possible to change the "rootpw" in the "slapd.conf" from an md5-one into a new plain-text one without any problems respectively additional efforts? Thank you for your help in advance! Best regards Oliver Steffens

2 1

LDAP Host access best practices
by Mathew Rowley 07 Jan '09

07 Jan '09

I am fairly new to LDAP in general, so please excuse any syntax errors. I have a radius proxy which will query an LDAP data store to determine if a user has access to a host. I want to reuse the concept of how users are defined: Ou=users -> defines all users Ou=groups -> defines all groups Ou=groups,cn=groupname -> links the users to the group With hosts. My problem is that I cannot find any specific formal definition on how this is done (in terms of what each subtree¹s objectClass should be). Has anyone done this, or can point me in the right direction? All the user/groups based stuff is based on posixGroup, which im pretty sure is unix/linux concept can this be used for what I am trying to do with hosts? Basic architecutre: Ou=hosts -> defines a host Ou=hostGroups -> defines a group name (organizationlUnit?) Ou=hostGroups,cn=hostGroupName -> this will link what hosts are in the group Thanks for any help. -- MAT

1 0

replication on 2.4.13
by jakjr 07 Jan '09

07 Jan '09

Hello, I'm testing a multimaster config on openldap 2.4.13. I have 2 servers. Adds and Modifies are ok on both. But, when I deleted 300 entries, with server B down and this server goes up again, those entries deleted from server A are no replicated. Server B still keeping those entries. This is a bug or a config error. This is my config: ServerID XXX syncrepl rid=001 provider=ldap://<IP> type=refreshAndPersist retry="5 5 10 +" searchbase="dc=br" bindmethod=simple binddn="cn=admin,dc=br" credentials=** schemachecking=off mirrormode on overlay syncprov syncprov-checkpoint 100 1 syncprov-reloadhint TRUE syncprov-sessionlog 100 Thanks

1 1

authenticate a user to LDAP server using GSS-SPNEGO and Kerberos
by Deepika Srivastava 07 Jan '09

07 Jan '09

Hi I have to authenticate a user to LDAP server using GSS-SPNEGO and Kerberos as base mechanism. I have successfully generated the TGT. Now I want to use ldap_sasl_bind_s() function with "GSS-SPNEGO" as mechanism. I am not sure of the parameters to pass. I read on http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/apis… in case of Kerberos,we can use the above mentioned ticket if we have the TGT.Just we need to pass 'cred' and 'dn' as NULL and the functional will automatically take care of the rest of the mechanism under covers. ldap_sasl_bind_s (g_hLDAP,"", "GSS-SPNEGO" ,NULL,NULL,NULL, &servercredp ) This is how I am calling the function but is throwing LDAP_PARAM_ERROR. I am not sure of the reason. Can anyone help me on the reason? Also i wanted to know that do we need to any configurations at the LDAP server end to do enable kerberos authentication. Also do i need to call krb5_mk_req() before calling ldap_sasl_bind_s() or can i directly call ldap_sasl_bind_s()? Can anyone help me on the flow of API for achieving complete authentication after achieving the kerberos ticket. . Any thoughts?

2 1

ldap.conf location help
by Sankhadip Sengupta 07 Jan '09

07 Jan '09

Hi, I am trying to make a client which will query users via an LDAP server.Now in the code I use TLS to encrypt the session. Using TLS , I face a problem that the client is unable to verify the server certificate. Connect error(-11) ssl error(1490086). When I use ldapsearch to do that it works fine.I have LDAP server on the same machine and running via loopback. I figured this problem is due to location of ldap.conf file as when I changed the entry of TLS_CACERT in the ldap.conf file (commented it out) the ldapsearch also failed which shows it is unable to locate the certificate. Is there any way to make sure that the client tools always find the correct ldap.conf file? Please help. Sankhadip

1 0

Question about ldap filter
by Jason Voorhees 06 Jan '09

06 Jan '09

Hi there: I'm trying to understand how ldap filters work. Based on this simple logic expression: EXPR_1 (or) EXPR_2 if EXPR1 returns TRUE, will slapd still try to evaluate EXPR2? or will slapd evaluate EXPR2 anyway even if EXPR_1 is true? I think that while the ldap filter is bigger then performance is worse, right? could somebody explain me a little about this logic of evaluation in ldap filters? Thanks

3 7

acl to allow access to specific parts of the tree only for a particular dn
by ben thielsen 06 Jan '09

06 Jan '09

i'd like to prevent the dn "cn=foo, ou=services, ou=accounts, dc=example, dc=com" from accessing any part of the tree outside of "ou=test, ou=other, ou=users, ou=accounts, dc=example, dc=com" and "ou=test, ou=other, ou=users, ou=groups, dc=example, dc=com", and would like that dn to have only read access to those two subtrees - the exception being that that user should of course be able/required to authenticate. i'm having trouble constructing a working acl that accomplishes this. one example attempt: dn: olcDatabase={2}bdb,cn=config changetype: modify replace: olcAccess olcAccess: to dn.base="" by * read olcAccess: to attrs=userPassword by self write by anonymous auth by * none olcAccess: to dn.subtree="ou=montage_test,ou=other,ou=users,ou=accounts,dc=ltn,dc=lvc,dc=com" by dn.exact="cn=montage_test,ou=services,ou=accounts,dc=ltn,dc=lvc,dc=com" read by self write by users read by * none olcAccess: to dn.subtree="ou=montage_test,ou=other,ou=users,ou=groups,dc=ltn,dc=lvc,dc=com" by dn.exact="cn=montage_test,ou=services,ou=accounts,dc=ltn,dc=lvc,dc=com" read by self write by users read by * none olcAccess: to * by self write by dn.exact="cn=montage_test,ou=services,ou=accounts,dc=ltn,dc=lvc,dc=com" none by users read by * none that particular example gets me: >ldapsearch -uxLLLWP 3 -H 'ldaps://ldap.ltn.lvc.com' -D 'cn=montage_test, ou=services, ou=accounts, dc=ltn, dc=lvc, dc=com' -b 'dc=ltn, dc=lvc, dc=com' "(objectclass=groupofnames)" dn | grep -i 'dn:' Enter LDAP Password: No such object (32) what am i missing? thanks -ben

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2009